Thank you for this quick feedback.

On 15/09/16 09:04 PM, d...@deadhat.com wrote:
Hi!

A true random number generation strategy is no better than its
trustworthiness. Here is a suggestion for a simple scheme which rests on
a common digital electronic design.

[...]
Unavoidable current noise source:
   - thermal noise
   - excess current noise caused by the above resistor material
construction
Noise sources to be reduced (as a matter of sampling approach coherency)
   - electrostatic ...
   - electromagnetic ...

Any thoughts?


Yes.

A) Can you build 100,000,000 and expect them all to work?

No. The stated goal is to provide some scheme that a few wise guys may trust. So, building 20 units and having you as a satisfied user would be a more realistic goal. Microsoft and Apple seem to be trusted by the crowd.

B) Can you expect those 100,000,000 resistors to behave in a
consistent manner or will the supplier switch compounds on you while you
aren't looking.  If you try and buy a paper-oil cap today, you'll get a
poly pretending to be paper-oil. I assume it's the same for obsolete
resistor compounds.

This brings the question of characterization of cheap material procured from the mass market channels. Obviously it is part of the detailed crafting process.

Realistically, one would be able to avoid the trouble here, e.g. by
buying a few rolls of 5000 resistors from a few manufacturers.

C) What are the EM injection opportunities to measured noise? Can you
saturate the inputs?

Also part of the implementation details to watch. This small circuit may be located in a Faraday cage. Hopefully its internals will remain tamper evident for a very paranoiac user.

About input saturation, the expected result of experimentation (with analysis) is some confidence that current noise is the main source of data fluctuation (I do not state which statistic to apply here for "data fluctuation"), and then EM could hardly induce the relevant resistor currents without e.g. a large coil within a short distance. Admittedly, this is not a definitive answer for a very paranoiac user.

Do you have a scheme overall immune to EM injection opportunities? Is the complexity of this scheme such that every external influence opportunity may be ruled out?

D) How are you planning to characterize the min entropy of the source? We
know the min entropy of well defined Gaussian noise, but what about shot,
1/f and all the other weird distributions?
   D_a) Can you distinguish that noise from system noise that might be
systematic rather than entropic?

Two aspects: entropy and the inherently compound measurement of multiple (and little understood) noise sources ("noise from system" might be rather vague for a physicist).

About compound measurement, careful crafting of the Wheatstone bridge (and its excitation voltage source) is expected to provide some assurance that current noise (thermal noise and excess current noise from resistor material properties) is the foremost contributor to data fluctuations.

Min entropy characterization: no definite plan. The raw 24-bit samples will be available for attempts at distribution characterization. I suspect however that a paranoiac user will fear that after gigabytes of data fed to the characterization process, the source might suddenly turn low entropy when the data is switched to the cryptographic random secret generation process.

E) Do you have an extractor algorithm in mind that is proven to work at
the lower bound for the min entropy you expect from the source?

I might have ideas in this area of concern but "proven extractor algorithm" is something orthogonal to the source: a proven algo would have its proof for a given "min entropy" abstract concept.

F) Are you wanting computational prediction bounds at the output of the
extractor or do you want H_inf(X) = 1?
   F_1) If you want the entropy answer, then you need to consider multiple
input extractors.
   F_2) Oh, and quantum-safe extractors are a thing now.

These questions, which I do not understand fully, would be orthogonal to the source.

G) Are any certifications required? In my experience P(Y) -> 1 as t ->
infinity. Projects that swore up and down that they weren't doing FIPS
would come back 2 years later, with a finished chip and ask "Can this be
FIPS certified", after a customer made their requirements clear.

This question need not be addressed now (P(Y) unknown as t=0!).

That's my usual list of questions. They may or may not apply to your
situation.

Thanks for sharing this.

- Thierry Moreau

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
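The following is an added example (my own code, not from the thread or from either correspondent) illustrating the two sides of question D that the reply leaves open: a conservative min-entropy estimate of raw noise samples, and continuous health tests that would catch a source that "suddenly turns low entropy" after the characterization phase. The estimator and the two test cutoffs are the most-common-value estimator and the repetition-count / adaptive-proportion tests as specified in NIST SP 800-90B. The ADC readings are simulated (Gaussian noise on a hypothetical fixed bridge offset, low 8 bits kept), not measurements from any circuit; `simulate_bridge_adc`, the offset value and the sigma values are constructed for the example.

```python
"""
Added example, not part of the original thread: (1) a conservative min-entropy
estimate of raw noise samples and (2) continuous health tests that catch a
source that collapses after characterization. Formulas follow NIST SP 800-90B
(most-common-value estimator, repetition count test, adaptive proportion test).
All ADC data below is simulated, not measured from any circuit.
"""
import math
import random
from collections import Counter

ALPHA = 2.0 ** -20   # SP 800-90B false-alarm probability for continuous health tests
APT_WINDOW = 512     # adaptive proportion test window for non-binary samples


def min_entropy_mcv(samples):
    """Most-common-value estimate (SP 800-90B 6.3.1), bits per sample.
    Uses the 99% upper confidence bound on p_max, so it is conservative."""
    n = len(samples)
    if n < 2:
        raise ValueError("need at least two samples")
    p_hat = Counter(samples).most_common(1)[0][1] / n
    p_u = min(1.0, p_hat + 2.576 * math.sqrt(p_hat * (1.0 - p_hat) / (n - 1)))
    return -math.log2(p_u)


def samples_needed(h_min, target_bits=256):
    """Raw samples to feed an extractor to accumulate target_bits of min-entropy.
    An extractor's proof is stated against this H_min value, not the circuit."""
    return math.ceil(target_bits / h_min)


def rct_cutoff(h_min):
    """Repetition count test cutoff (SP 800-90B 4.4.1): 1 + ceil(-log2(alpha) / H)."""
    return 1 + math.ceil(-math.log2(ALPHA) / h_min)


def apt_cutoff(h_min, window=APT_WINDOW):
    """Adaptive proportion test cutoff (SP 800-90B 4.4.2): smallest C with
    P[Binomial(window, 2^-H) <= C] >= 1 - alpha."""
    p = 2.0 ** -h_min
    cdf = 0.0
    for c in range(window + 1):
        cdf += math.comb(window, c) * p ** c * (1.0 - p) ** (window - c)
        if cdf >= 1.0 - ALPHA:
            return c
    return window


def health_tests(samples, h_min, window=APT_WINDOW):
    """Run both continuous tests over a sample stream, as an entropy source
    would on every sample it produces. Returns (rct_passed, apt_passed)."""
    c_rct, c_apt = rct_cutoff(h_min), apt_cutoff(h_min, window)
    rct_ok, run, prev = True, 0, None
    for s in samples:                      # repetition count: run length of one value
        run = run + 1 if s == prev else 1
        prev = s
        if run >= c_rct:
            rct_ok = False
            break
    apt_ok = True
    for start in range(0, len(samples) - window + 1, window):
        w = samples[start:start + window]  # adaptive proportion: count of window's first value
        if w.count(w[0]) > c_apt:
            apt_ok = False
            break
    return rct_ok, apt_ok


def simulate_bridge_adc(n, sigma_lsb, rng, stuck=False):
    """Constructed stand-in for raw 24-bit ADC readings of a bridge: a fixed
    offset plus Gaussian current noise of sigma_lsb LSB. Only the low 8 bits,
    where the noise lives, are kept. stuck=True models a collapsed source
    (offset with almost no noise), e.g. a saturated or shorted input."""
    offset = 0x7A3C10                      # hypothetical bridge imbalance reading
    out = []
    for _ in range(n):
        noise = rng.gauss(0.0, 0.05 if stuck else sigma_lsb)
        raw = (offset + int(round(noise))) & 0xFFFFFF
        out.append(raw & 0xFF)
    return out


def demo(seed=1):
    """Characterize on one data set, then watch a later stream that collapses."""
    rng = random.Random(seed)
    characterization = simulate_bridge_adc(50_000, 30.0, rng)
    h = min_entropy_mcv(characterization)
    live = simulate_bridge_adc(4096, 30.0, rng) + simulate_bridge_adc(4096, 30.0, rng, stuck=True)
    return h, health_tests(characterization[:4096], h), health_tests(live, h)


if __name__ == "__main__":
    h, healthy, collapsed = demo()
    print(f"H_min estimate: {h:.2f} bits/sample, {samples_needed(h)} samples per 256-bit secret")
    print(f"health tests on healthy stream (RCT, APT): {healthy}")
    print(f"health tests on stream that collapses:   {collapsed}")
```

The point of the split between `min_entropy_mcv` and `health_tests` is the one raised in the reply: the offline estimate only bounds what the characterization data showed, while the two cheap online tests, with cutoffs derived from that estimate, are what detect the source degrading later (a run of identical samples, or one value crowding a 512-sample window). The estimate is also the number an extractor's proof is stated against, hence `samples_needed`.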
